
I created an organization (o=otherorg,dc=example,dc=com) inside my OpenLDAP server running on Debian stretch. Now I want to remove it, but no tool I tried allows me to. Below is a chunk of slapcat output; I would like to remove the "dn: o=otherorg,dc=example,dc=com" entry. I tried with:

ldapdelete -x -W -D "cn=admin,dc=example,dc=com" "o=otherorg,dc=example,dc=com"

I created a file named delete.ldif containing:

dn: o=otherorg,dc=example,dc=com
changetype: delete

and ran:

ldapmodify -Y EXTERNAL -H ldapi:/// -f /path/to/delete.ldif

All without success. The slapcat output:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
structuralObjectClass: organization
entryUUID: 99585550-02ab-1038-9dc9-000000000000
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 19700101164420Z
entryCSN: 19700101164420.615825Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 19700101164420Z
contextCSN: 19700101173944.872394Z#000000#000#000000
contextCSN: 19700101173733.720551Z#000000#001#000000

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
structuralObjectClass: organizationalRole
creatorsName: cn=admin,dc=example,dc=com
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
entryUUID: 995956ee-02ab-1038-9dca-000000000000
createTimestamp: 19700101164420Z
entryCSN: 19700101164420.622825Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 19700101164420Z

dn: o=otherorg,dc=example,dc=com
entryUUID: 7a6cd5be-02b3-1038-8346-000000000000
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 19700101173944Z
entryCSN: 19700101173944.872394Z#000000#000#000000
objectClass: top
objectClass: glue
structuralObjectClass: glue
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 19700101173944Z
  • It is a magical `glue` object, which exists and doesn't exist at the same time. Try the `-M` option. Or slapcat, manual edit and slapadd back. See also http://blog.mycroes.nl/2010/06/recovering-from-glue-objects-in.html?m=1 – rda Jun 17 '18 at 11:55
  • The -M option with ldapdelete worked. Thank you. According to the ldapdelete manual: -M[M] Enable manage DSA IT control. -MM makes control critical. Now I know it works, but still, the option is obscure to me. – Qippur Jun 18 '18 at 06:21
  • I added an answer. You should not add `[SOLVED]` to the title. – rda Jun 18 '18 at 06:59
  • Sorry, newbie here; not aware of the rules. Your reply solved my problem. What is the correct way to handle this situation? Thanks – Qippur Jun 18 '18 at 11:07
  • No problem at all. Questions are "solved" here, when an answer is accepted. If for example my answer here solves your problem, you can mark it as accepted solution. If for example you figured it out yourself, you would add your own answer with your solution and accept it (after 48h waiting period). See also https://stackoverflow.com/help/someone-answers, https://stackoverflow.com/help/accepted-answer – rda Jun 18 '18 at 11:18
  • Thanks. I marked your answer as accepted. Should I remove the [SOLVED] tag in the header anyway? – Qippur Jun 18 '18 at 15:01

1 Answer

An entry can be deleted using:

ldapdelete <dn>

or recursively:

ldapdelete -r <dn>

However, the entry you are trying to delete is a glue entry, which can't be operated on using normal LDAP operations. Such glue entries are used in referrals, when a sub-tree is managed by another DSA. They are also used by syncrepl as shadow databases and may also appear due to replication problems.

To treat such entries as normal entries, add the -M option to ldapsearch, ldapmodify or ldapdelete. Delete this type of entry using:

ldapdelete -M <dn>

This option sends the ManageDsaIT control, see RFC 3296:

The client may provide the ManageDsaIT control with an operation to indicate that the operation is intended to manage objects within the DSA (server) Information Tree. The control causes Directory-specific entries (DSEs), regardless of type, to be treated as normal entries allowing clients to interrogate and update these entries using LDAP operations.
